Why we can’t trust smartphones anymore

A new class of security problem is caused by smartphone makers that create vulnerabilities deliberately without telling customers.

The iOS Settings app has always enabled users to turn Wi-Fi and Bluetooth on or off.

When you turn off Wi-Fi and Bluetooth in Settings, iOS disconnects the phone from whatever Wi-Fi networks or Bluetooth devices it happens to be connected to, then turns off the Wi-Fi and Bluetooth radios inside the phone to prevent any possible use of Wi-Fi or Bluetooth with that phone. Wi-Fi and Bluetooth stay off until the user turns them back on.

This is how users expect it to work, and how it in fact does work.

As a convenience, Apple four years ago rolled out the Control Center for iOS 7. Available today with a swipe up from the bottom of the phone (on all phones except the new iPhone X, which conjures the Control Center with a swipe down on the right side of the screen), Control Center lets users more quickly toggle Wi-Fi and Bluetooth on or off, among other functions.

Apple wisely placed this wireless toggling on the Control Center because there are many reasons to turn Wi-Fi and Bluetooth on or off quickly and frequently. For example, turning off Wi-Fi and Bluetooth saves battery life.

There’s just one problem: While the Control Center controls disconnect the phone from Wi-Fi networks and Bluetooth devices, they don’t turn off Wi-Fi or Bluetooth.

When Wi-Fi or Bluetooth is turned off from the Control Center, iOS 11 automatically reconnects to new hotspots or Bluetooth devices if they appear within range. Or if the phone is restarted. Or if 5 a.m. happens. (That’s right. At 5 a.m., the phone will automatically reconnect to the very Wi-Fi and Bluetooth resources the user actively disconnected from.)

Turning off Wi-Fi and Bluetooth in Settings is absolute and persistent. But “turning off” Wi-Fi and Bluetooth in Control Center is an illusion. Wi-Fi and Bluetooth remain on and functioning.

(Apple didn’t respond to my request for comment.)

Users naturally assume that Wi-Fi and Bluetooth toggling in Control Center is identical to the same action in Settings, when in fact they’re completely different. (Apple informed users of this difference only on an obscure Help page, which Apple knows the vast majority of iPhone users will never see or know about.)

Apple’s Control Center behavior exists to enable fast disconnection from networks and resources while continuing to enable features such as AirDrop, Personal Hotspot and Handoff, and to favor Apple peripherals such as Apple Pencil and Apple Watch. It exists for ease of use and convenience and was the right thing to do.

But failing to very clearly inform users that the Control Center Wi-Fi and Bluetooth toggling doesn’t do what Settings does was the wrong thing to do.